Question

I'm trying to send username and password data from a web form to my server.

The password is sent as plain text over a https connection, then properly encrypted on the server (using python hashlib.sha224) before being stored, however I'm not sure how to transmit the password text to the server in an encrypted format.

My web client is written in javascript, and the server is written in python.


Solution

You'd have to encrypt it in the JavaScript. Unfortunately JavaScript does not offer any cryptographic tools out of the box, so you'd have to either use a third-party library or write something on your own.

As others have said, HTTPS is meant to encrypt the whole traffic, so perhaps you don't need anything extra? If you do however, you may want to look at this article, which might shed some light on the problem. Good luck! :)

OTHER TIPS

Actually you transmit the password encrypted, because you use SSL. Furthermore you do not encrypt the password, you hash the password on the server.

Anyway, you can use something like jCryption for it. crypt-js could also fit your purpose.
For Python there is a crypto library called PyCrypto. But I have a problem with the communication between JavaScript and Python. I am trying to do something similar, but have a problem with it. I think my question will help you with yours.

Include nonce and block count in PyCrypto AES MODE_CTR

But in general, you have already solved the problem on your own, by using https.

https is an encrypted format. You're good.

If you want to do it client-side anyway I recommend hashing it with sha1. This guy seems to have some libs for that: http://pajhome.org.uk/crypt/md5/ - SHA1, sha256, md5, etc.

The HTTPS channel over which you send the password to the server provides encryption that is good enough.

However, you need a more secure storage mechanism for the password. Use an algorithm like "bcrypt" with many thousands of hash iterations (bcrypt calls this the cost factor, and it should be at least 16, meaning 2^16 iterations), and a random "salt". This works by deriving an encryption key from the password, which is a computationally expensive process, then using that key to encrypt some known cipher text, which is saved for comparison on future login attempts.

Also, using HTTPS on the login only is not sufficient. You should use it for any requests that require an authenticated user, or that carry an authentication cookie.

Contrary to http, https is an encrypted protocol. You don't need additional encryption between the client and the server.

SHA224, SHA1 or MD5 are not encryption but hashing functions, which means they are irreversible.

Some answers suggest hashing passwords client-side. However, irreversible doesn't mean uncrackable. Having a plain password hashed, it is relatively easy to obtain the matching password from the hash (see rainbow tables for example).

Therefore you should not hash the password on the client side, but concatenate it with some arbitrary string selected on the server side (usually called a salt) and hash the result.
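The two answers above (salted, iterated storage instead of one fast hash; a server-side salt) share one server-side implementation. The following is an added example, not code from any of the answers or from the asker's project. It assumes Python 3 with only the standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for the bcrypt the answer recommends; the iteration count, record format and sample passwords are constructed for illustration. Alongside it, `unsalted_sha224` reproduces the scheme from the question so the difference can be seen directly: two users with the same password get the same unsalted digest, but different salted records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (assumption: chosen for illustration, not taken from
# any answer). A real deployment tunes ITERATIONS to its hardware budget.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGO = "pbkdf2_sha256"


def unsalted_sha224(password: str) -> str:
    """The storage scheme from the question: one fast, unsalted hash.
    Identical passwords always yield identical digests, which is what
    precomputed (rainbow) tables exploit."""
    return hashlib.sha224(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key from the password with a per-user random salt and a
    deliberately expensive iteration count, and return a self-describing
    record 'algo$iterations$salt_hex$key_hex' suitable for storing."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"{ALGO}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the derivation with the salt and iteration count stored in the
    record, then compare in constant time so timing does not leak how many
    leading bytes matched."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def demo() -> dict:
    """Constructed sample: two users who happen to choose the same password."""
    shared = "correct horse battery staple"
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        # the question's scheme: same password -> same stored value
        "unsalted_records_identical": unsalted_sha224(shared) == unsalted_sha224(shared),
        # salted scheme: same password -> different stored values
        "salted_records_identical": alice == bob,
        "alice_verifies": verify_password(shared, alice),
        "wrong_password_rejected": not verify_password("Tr0ub4dor&3", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record stores the salt and iteration count next to the derived key, so the server can raise `ITERATIONS` later and re-hash a user's password on their next successful login without a migration; `hmac.compare_digest` is used for the final comparison rather than `==` for the timing reason noted in the comment.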

Licensed under: CC-BY-SA with attribution